
Synchronizing User Groups

When you configure and enable an authentication profile, you can use it to retrieve user group information through the third-party IdP in the profile. For security reasons, the system will delete the user group data after the expiry time. You must define how long you want the system to keep the user group information by setting the expiration window. The default is 48 hours.


Note

Although user group information expires based on your configuration, the information is retained in the system once you have associated the user groups with a security policy. The user group information is deleted when you remove that security policy. In addition, if the IdP in your authentication profile renames or deletes a user group, you must resynchronize the user groups to get the latest information.

To retrieve user group information from an IdP, complete the following on the User Group Sync tab:

Authentication Profile: Choose an enabled authentication profile you want to use to retrieve user groups. Only enabled profiles are available for selection.

For information about how to create authentication profiles, see Configuring Authentication Profiles.

For LDAP profiles (for MS AD Sync), complete the following:

  • User Name: Enter the username for logging in to the Microsoft Active Directory server.
  • Password: Enter the password for logging in to the Microsoft Active Directory server.
  • On-prem Host: Choose the host with which you have associated the LDAP profile from the list.
  • Expiration: Choose the time duration you want the system to keep the user group information. The default is 48 hours.

Note

Ensure that you enable the MS AD Sync service for the synchronization to work. For information, see Enabling and Disabling Services on Servers.

Advisory

SSL-related error while trying to sync the groups
If you receive the message 'Error status "LDAP Result Code 52 \"Unavailable\""', the login has failed because the user directory is unavailable for authenticating the user. Configuring LDAP over SSL on the server should resolve the issue. In MS AD, "Active Directory Certificate Services" must be installed so that a certificate authority (CA) is available. If that is not done, SSL-related errors may be encountered when attempting to sync the groups.

Keep in mind that the connection between the AD server and the Infoblox Platform is encrypted using the SSL/TLS protocol, with the version negotiated according to what the server and client support. The AD server must have at least the SSL protocol enabled and a self-signed certificate applied.

To remedy this issue, perform the following checks on the server:

  • Check that the AD server has at least the SSL protocol enabled and that a valid self-signed certificate is applied.
  • To verify whether SSL is enabled, check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client\DisabledbyDefault (1 is enabled and 0 is disabled).
  • Note that SSL and TLS are only protocol suites; you still require a certificate to digitally bind a cryptographic key to the server.

For information on how to enable Transport Layer Security (TLS) protocol, see Configuring DNS Forwarding Proxy.
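The following PowerShell script is an added example, not part of the Infoblox documentation, that automates the two checks above from an administrator's session on the AD server: it lists the SCHANNEL protocol registry values for every protocol present (the page checks SSL 2.0 only; this version enumerates all of them) and then opens an LDAPS connection to confirm that a certificate is presented and to show its validity dates. The hostname dc01.example.internal is an assumed placeholder. Because Microsoft's SCHANNEL documentation defines DisabledByDefault = 1 as "not used by default" and uses a separate Enabled value, the script prints both values raw rather than labelling either as enabled, so you can interpret them against your own baseline.

```powershell
# Added example (not Infoblox code): review SCHANNEL protocol settings and
# verify the certificate presented on the LDAPS port of an AD server.
param(
    [string]$AdServer  = 'dc01.example.internal',   # assumed placeholder host
    [int]$LdapsPort    = 636                        # standard LDAP over SSL/TLS port
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1. Report the raw Enabled / DisabledByDefault values for every protocol and
#    side (Client/Server) that has a key under SCHANNEL\Protocols. A missing
#    value means the OS default applies, which is reported rather than guessed.
function Get-SchannelProtocolState {
    if (-not (Test-Path $base)) {
        Write-Warning "No SCHANNEL\Protocols key present; OS defaults apply"
        return
    }
    Get-ChildItem $base | ForEach-Object {
        $protocol = $_.PSChildName
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $_.PSPath $side
            if (Test-Path $key) {
                $props = Get-ItemProperty $key
                [pscustomobject]@{
                    Protocol          = $protocol
                    Side              = $side
                    Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(not set)' }
                    DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(not set)' }
                }
            }
        }
    }
}

# 2. Open a TLS session on the LDAPS port and inspect the server certificate.
#    The validation callback always returns $true so that a self-signed
#    certificate (acceptable per the advisory) is still displayed; chain
#    trust is reported separately through X509Certificate2.Verify().
function Test-LdapsCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = { param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            NegotiatedProtocol = $ssl.SslProtocol
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            SelfSigned         = ($cert.Subject -eq $cert.Issuer)
            NotBefore          = $cert.NotBefore
            NotAfter           = $cert.NotAfter
            Expired            = ($cert.NotAfter -lt (Get-Date))
            ChainTrusted       = $cert.Verify()
        }
    } finally {
        $tcp.Close()
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Test-LdapsCertificate -HostName $AdServer -Port $LdapsPort | Format-List
```

Run it in an elevated PowerShell session on the domain controller (or point $AdServer at the controller from another Windows host for the LDAPS check only). If the TcpClient constructor throws, nothing is listening on port 636, which matches the "Unavailable" result above; if the connection succeeds but Expired is True, renew the certificate before retrying the sync.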


For SAML profiles, complete the following:

  • Admin Token: This is the authorization token from the IdP. Depending on the IdP you have selected in the authentication profile, refer to the respective vendor documentation on how to acquire an admin or API token.
  • Expiration: Choose the time duration you want the system to keep the user group information. The default is 48 hours.

For SAML profiles, complete the following:

  • Admin Token: This is the authorization token from the IdP. Depending on the IdP you have selected in the authentication profile, refer to the respective vendor documentation on how to acquire an admin or API token.
  • IdP Domain: This is the IdP domain for the IdP you set up.
  • Expiration: Choose the time duration you want the system to keep the user group information. The default is 48 hours.

Click Sync. When the synchronization is complete, available user groups are displayed in the Synced User Groups panel. 

The synchronized user groups are now available when you configure security policies. For information about security policies, see Configuring Security Policies.

The Synced User Groups panel displays the following information:

  • User Group: The name of the user group.
  • Profile: The name of the authentication profile used to retrieve the user group.
  • Identity Provider: The IdP used to retrieve the user group information.
  • Expires At: The date and time when the user group information expires.

For more information about access authentication, see the following: